Microsoft, Google Reveal New Processor-Based PC Vulnerability

Security experts at Microsoft and Google say they have discovered a new form of the Spectre and Meltdown bugs that hit PCs earlier this year.

That’s according to a new report from The Verge, which explains that Spectre is a wide-reaching vulnerability that, alongside the Meltdown issue, affects a host of major CPUs.

The bug, known as Speculative Store Bypass Variant 4 (Meltdown and Spectre collectively make up variants 1-3), impacts Intel, AMD, and ARM processors. An attacker who exploits it could access data that is meant to be stored out of reach. In particular, it could expose certain components often used in web browsing that are meant to be isolated, for example a JavaScript module that shows ads.

The new variant can be exploited by running script files (text files that contain a sequence of commands) in programs like web browsers. If hackers manage to exploit this vulnerability, they will be able to read sensitive information from other parts of the program, such as another tab in the case of browsers.

Intel, however, has classified the new bug as medium risk, explaining in a blog post that most of the exploits it uses were fixed in the original wave of patches that were rolled out.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” said Intel’s vice president of Product Assurance and Security.

Chips from Intel, AMD and ARM all have patches available, either directly from the makers or through software suppliers such as Microsoft. Intel said it expects a performance slowdown of between 2 percent and 8 percent from the patches, and ARM said it expects a slowdown of between 1 percent and 2 percent.

However, Intel said that because of the low risk of a real-world attack, it would ship its patches turned off by default, giving users the choice whether to turn them on. AMD also advised leaving the patches turned off due to the difficulty of carrying out an attack.